A new web standard is expected to kill passwords, meaning users will no longer have to remember difficult logins for each and every website or service they use.

The Web Authentication (WebAuthn) standard is designed to replace the password with biometrics and devices that users already own, such as a security key, a smartphone, a fingerprint scanner or webcam.

Instead of having to remember an increasingly long string of characters, users can authenticate their login with their body or something they have in their possession, communicating directly with the website via Bluetooth, USB or NFC.

“WebAuthn will change the way that people access the Web,” said Jeff Jaffe, chief executive of the World Wide Web Consortium (W3C), the body that controls web standards.

One example of how WebAuthn will work is that when a user visits a site they want to log into, they input a user name and then get an alert on their smartphone. Tapping on the alert on their phone then logs them into the website without the need for a password.

WebAuthn promises to protect users against phishing attacks and the use of stolen credentials, as there will be nothing to steal: the authentication token is generated and used once by their specific device each time the user logs in.

“After years of increasingly severe data breaches and password credential theft, now is the time for service providers to end their dependency on vulnerable passwords and one-time-passcodes and adopt phishing-resistant FIDO Authentication for all websites and applications,” said Brett McDowell, executive director of the FIDO Alliance, one of the bodies pushing the new standard.

WebAuthn should also help people use unique login details for each and every service they use, instead of using the same login and password for every site, which many people still do, leaving them vulnerable to further attacks if one site is hacked.

The W3C has moved WebAuthn to what’s called the “candidate recommendation” stage – the penultimate step before it becomes an approved web standard – inviting sites and services to begin implementing it. The web standards body announced that Google, Microsoft and Mozilla had committed to supporting WebAuthn, meaning that all major web browsers short of Apple’s Safari will implement the new standard.

“While there are many web security problems and we can’t fix them all, relying on passwords is one of the weakest links. With WebAuthn’s multi-factor solutions we are eliminating this weak link,” said Jaffe.

Several sites and services already use similar methods to log in, including Google and Facebook, which can both be logged into using a USB security key. But a single cross-platform, cross-service standard ratified by the W3C will mean that many more sites and services will be able to kill the password as the de facto login method.

WebAuthn is the culmination of many years of work and the change will not happen overnight. But as it increasingly seems inevitable that our email or other online services will get hacked into, removing the password is an important step in improving online security and making using sites and services easier.

Maybe that's a business opportunity for BDaaS (burner devices as a service), with a pricing structure that allows more devices to be checked out at any given time at a higher price.
_________________
The First of April. The day when people critically evaluate information from the internet before accepting it as true.

I'm not associating anything with everything, and certainly not where I'm the product. I briefly tested fingerprint to unlock but stopped using it.

I use F-Droid, not Google Play. I've never signed up for any of the "social space" big players (and don't see the future when I would). Currently the only things I'm signed up for and use are email and here. I have signed up for a couple of small places, but no longer use the logins.

This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key credentials, each scoped to a given Relying Party, are created and stored on an authenticator by the user agent in conjunction with the web application. The user agent mediates access to public key credentials in order to preserve user privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to relying parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.

looks a lot like regular public key authentication ..... regular RSA or EC-DSA like ssh..

Of course a full RootOfTrust requires that the device is locked, runs original firmware, and is up to date

The title is misleading since you can use a password to access your certificate (like in ssh); it should be more "RIP password sent over the wire", since the password can still be used.
_________________
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia

We're all wrong it's just a standardization of 2F authentication ......

Quote:

1.1. Use Cases

The below use case scenarios illustrate use of two very different types of authenticators, as well as outline further scenarios. Additional scenarios, including sample code, are given later in §12 Sample scenarios.
1.1.1. Registration

On a phone:

User navigates to example.com in a browser and signs in to an existing account using whatever method they have been using (possibly a legacy method such as a password), or creates a new account.

The phone prompts, "Do you want to register this device with example.com?"

User navigates to example.com in a browser, sees an option to "Sign in with your phone."

User chooses this option and gets a message from the browser, "Please complete this action on your phone."

Next, on their phone:

User sees a discrete prompt or notification, "Sign in to example.com."

User selects this prompt / notification.

User is shown a list of their example.com identities, e.g., "Sign in as Alice / Sign in as Bob."

User picks an identity, is prompted for an authorization gesture (PIN, biometric, etc.) and provides this.

Now, back on the laptop:

Web page shows that the selected user is signed in, and navigates to the signed-in page.

1.1.3. Other use cases and configurations

A variety of additional use cases and configurations are also possible, including (but not limited to):

A user navigates to example.com on their laptop, is guided through a flow to create and register a credential on their phone.

A user obtains a discrete, roaming authenticator, such as a "fob" with USB or USB+NFC/BLE connectivity options, loads example.com in their browser on a laptop or phone, and is guided through a flow to create and register a credential on the fob.

A Relying Party prompts the user for their authorization gesture in order to authorize a single transaction, such as a payment or other financial transaction.


Whenever I read the words "new web standard" the first thought that pops up in my head is "no".

++

When I saw the announcement in my RSS reader (yes, I am subscribed to the W3C News RSS feed; no, I don't actually read it) I just rolled my eyes and moved on. I'm happy with my passwords and I don't have that many accounts where I wouldn't be able to keep track of my passwords.

It's definitely about time something was done. Having to remember so many passwords, each with their requirements means you start repeating them. If this takes human error and stupidity out then I see it as a great plus point
_________________
"Sex: breakfast of champions" - James Hunt

It's definitely about time something was done. Having to remember so many passwords, each with their requirements means you start repeating them. If this takes human error and stupidity out then I see it as a great plus point

why do you want to take the livelihood of phishers away
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king

It's definitely about time something was done. Having to remember so many passwords, each with their requirements means you start repeating them. If this takes human error and stupidity out then I see it as a great plus point

If that's your only problem, it was solved ages ago. It's called a password manager.

It's definitely about time something was done. Having to remember so many passwords, each with their requirements means you start repeating them. If this takes human error and stupidity out then I see it as a great plus point

why do you want to take the livelihood of phishers away

At the moment I'm Russia and FancyBear's favourite target

So, basically as soon as one site cracks your not-a-password you are hosed across every site you have ever used or ever will.

Sounds wonderful.

I'm so happy they can replicate my iris remotely

You don't have to. Just set up a nasty JavaScript to intercept whatever the result of the iris scan is and provide that whenever you want to log in. Basically how you steal credit card details.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.

So, basically as soon as one site cracks your not-a-password you are hosed across every site you have ever used or ever will.

Sounds wonderful.

Actually the non-password (or password) is used to unlock the HW-backed physical keyring on your phone that contains all the certificates that have been exchanged with various web sites.
The non-password is only used locally to unlock the keyring on the phone.

So, basically as soon as one site cracks your not-a-password you are hosed across every site you have ever used or ever will.

Sounds wonderful.

I'm so happy they can replicate my iris remotely

You don't have to. Just set up a nasty JavaScript to intercept whatever the result of the iris scan is and provide that whenever you want to log in. Basically how you steal credit card details.

Iris scanning is a mathematical interpretation and is therefore kept under an encrypted system. You would therefore need your JavaScript to somehow recognise whether it is successful or not. And then steal my phone. And then find somehow to put that mathematical representation into the phone while the sensor is looking at something. And then interrupt the false identification and send the correct maths.

So, basically as soon as one site cracks your not-a-password you are hosed across every site you have ever used or ever will.

Sounds wonderful.

I'm so happy they can replicate my iris remotely

You don't have to. Just set up a nasty JavaScript to intercept whatever the result of the iris scan is and provide that whenever you want to log in. Basically how you steal credit card details.

Iris scanning is a mathematical interpretation and is therefore kept under an encrypted system. You would therefore need your JavaScript to somehow recognise whether it is successful or not. And then steal my phone. And then find somehow to put that mathematical representation into the phone while the sensor is looking at something. And then interrupt the false identification and use the correct maths to unlock the keyring in the phone and use the correct keypair to log in to the website.

FTFY
If it was like you say then your password (the math representation of your iris) would be the password for every website on the 'net, but instead there is a different 'password' that is sent over the wires for every website. Otherwise the guys at Google could look into your Yahoo account if the password was the same.